Monitoring and troubleshooting telecommunications networks typically requires end-to-end tracking of user sessions. Each session comprises IP packets sent over multiple legs or hops, starting at a network access point and traversing the telecommunications networks through gateways to an application server or data server. The packets on each leg are identified as belonging to a specific session, and all the packets for each session are combined into a session record. A service provider can verify that the data network is working properly by tracking user calls all the way through the networks from the user equipment to a destination server.
This task is complicated by the presence of Network Address Translation (NAT) firewalls in telecommunications networks. The NAT firewalls may be part of a router, server or other node in the telecommunications network. The NAT firewalls modify inbound and outbound network addresses in IP packet headers and, for some application protocols, perform other packet modifications to data in the OSI (Open Systems Interconnection) layers.
NAT firewalls may be used for network masquerading, for example, hiding an entire private address space of an operator and only exposing the public IP addresses of the NAT device to outside devices. As a result, all packets from the private network appear to have originated from the NAT device, since the actual IP addresses of devices behind the NAT are hidden from outside devices. Internally, NAT functionality is typically implemented via dynamic address and port number translation tables.
The NAT firewall provides numerous advantages in the telecommunications network. A local network on one side of the NAT firewall can use just one IP address as far as the outside world is concerned. The local network using the single NAT IP address does not require its Internet Service Provider (ISP) to reserve a range of addresses for each of the devices in the local network. Also, addresses within the local network can be changed without needing to notify devices on the other side of the NAT firewall, which continue to use the address of the NAT gateway.
However, network monitoring devices that capture or analyze packets from legs on opposite sides of a NAT firewall are unable to use packet address information to determine which IP packets are associated with each other, because the NAT firewall modifies the packets' address information. For outgoing packets, the NAT firewall replaces the source IP address/port number of every outgoing packet with the NAT IP address and a new port number. Remote clients and servers respond to these outgoing packets using the NAT's IP address and the new port number as the destination address. The NAT stores every pair of source IP address/port number and NAT IP address/new port number in a NAT translation table. For incoming packets, the NAT firewall replaces the NAT IP address/new port number in the destination fields of every incoming packet with the corresponding source IP address/port number stored in the NAT table.
Monitoring devices deployed at interfaces or on legs that are on opposite sides of the NAT firewall cannot correlate flows on those interfaces or legs using IP address information since addresses and ports in the packets on opposite sides of the NAT firewall are quite different and, therefore, typical packet association mechanisms will fail.
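The translation behaviour and the resulting correlation failure can be made concrete with a small model. The following is an added example, not part of the original text: a hypothetical port-translating NAT that keeps the translation table described above, two probes (one per leg) that group packets by address/port pair, and a correlation step that shows the per-leg flow keys have nothing in common. All addresses and ports are constructed sample values.

```python
from dataclasses import dataclass, replace
import itertools

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class Nat:
    """Port-translating NAT as described above (hypothetical model): outbound
    packets get the public IP and a fresh port; the mapping is kept for replies."""
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)
        self.table = {}    # (private_ip, private_port) -> nat_port
        self.reverse = {}  # nat_port -> (private_ip, private_port)

    def outbound(self, pkt):
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.table:           # allocate a new port on first sight
            port = next(self._ports)
            self.table[key] = port
            self.reverse[port] = key
        return replace(pkt, src_ip=self.public_ip, src_port=self.table[key])

    def inbound(self, pkt):
        # Unknown destination port means no mapping; a real NAT drops the packet.
        key = self.reverse[pkt.dst_port]
        return replace(pkt, dst_ip=key[0], dst_port=key[1])

def flow_key(pkt):
    """Direction-independent address/port key a probe would group packets by."""
    ends = [(pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)]
    return tuple(sorted(ends))

def correlate_by_address(leg_a, leg_b):
    """Flow keys common to both legs: the 'typical packet association'
    that the text says fails across a NAT."""
    return {flow_key(p) for p in leg_a} & {flow_key(p) for p in leg_b}

def demo():
    nat = Nat("203.0.113.5")                       # constructed example addresses
    inside = [Packet("10.0.0.7", 51000, "198.51.100.20", 443),
              Packet("10.0.0.9", 51000, "198.51.100.20", 443)]
    outside = [nat.outbound(p) for p in inside]    # what the public-side probe sees
    reply = Packet("198.51.100.20", 443, nat.public_ip, outside[0].src_port)
    outside.append(reply)
    inside.append(nat.inbound(reply))              # reply de-translated for host .7
    return inside, outside, correlate_by_address(inside, outside)
```

Both private hosts reuse port 51000 and both appear on the public leg as 203.0.113.5 with distinct NAT-assigned ports, so the intersection of flow keys across the two legs is empty.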